chore(deps): pin js-cookie, tmp and brace-expansion (#3961)

Adds `pnpm.overrides` pinning a few transitive deps to their current
releases:

- `js-cookie` → 3.0.7
- `tmp` → 0.2.7
- `brace-expansion` → 1.1.13 / 2.0.3 / 5.0.6 (one entry per major)

Each override is scoped to the affected major range so unaffected majors
aren't dragged forward. Also drops the `fast-xml-builder` override,
which no longer resolves to anything in the tree.

Lockfile-only - no published package's dependencies change.
`js-cookie`/`tmp` parents pin ranges that can't reach the new versions
on their own, so overrides (not a plain lockfile refresh) are needed to
hold them.

Author: nicktrn

package.json

@@ -123,7 +123,11 @@
       "semver@>=5 <5.7.2": "^5.7.2",
       "defu@>=6 <6.1.5": "^6.1.5",
       "fast-uri@<3.1.2": "^3.1.2",
-      "fast-xml-builder@<1.1.7": "^1.1.7"
+      "js-cookie@<3.0.8": "3.0.8",
+      "tmp@<0.2.7": "0.2.7",
+      "brace-expansion@<1.1.13": "1.1.13",
+      "brace-expansion@>=2 <2.0.3": "2.0.3",
+      "brace-expansion@>=5 <5.0.6": "5.0.6"
     },
     "onlyBuiltDependencies": [
       "@depot/cli",